Malware-Jail – Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

Malware-Jail - Tool For Javascript Malware Analysis, Deobfuscation and Payload Extraction

Malware-Jail is a sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. It is written for Node.js.

It runs on any operating system. Developed and tested on Linux, Node.js v6.6.0.

Note: Due to use of some ES6 features, you’ll need Node.js >= 6.x.

Malware-Jail is written for Node’s ‘vm’ sandbox. Currently implements WScript (Windows Scripting Host) context  env/wscript.js , at least the part frequently used by malware. Internet browser context is partialy implemented  env/browser.js .

How To Install Malware-Jail

You’ll need Node.js and npm installed. Because malware-jail is built on top of minimist, iconv-lite and entities.

Pull from GitHub

Pull the source with git:

Then install all the dependecies (minimist, entities, iconv-lite) with:

Usage

In the examples folder you may find a deactivated malware file. Run the analysis with:

Internet browser based malware you may test with

At the end of the analysis the complete sandbox context is dumped into a ‘sandbox_dump_after.json‘ file.

You may want to examine following entries of ‘sandbox_dump_after.json‘:

  • eval_calls – array of all eval() calls arguments. Useful if eval() is used for deobfucation.
  • wscript_saved_files – content of all files that the malware attempted to drop. The actual files are saved into the output/ directory too.
  • wscript_urls – all URLs that the malware intended to GET or POST.
  • wscript_objects – WScript or ActiveX objects created.

sandbox_dump_after.json‘ uses JSONPath, implemented by JSON-js/cycle.js, to save duplicated or cyclic references to a same object.

Sample Output

In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf

Examples

The malware folder contains real-world malware samples. Most of them downloaded from https://malwr.com.

Example: Analysing Wileen.js

Taking malicious script from malwr.com: Wileen.js
Apparently the malware does not execute if run from within a browser:

Therefore you may want to use an alternate config filem which does not load browser/DOM components:

Interesting use of Powershell:

Example: Analysing ORDER-10455.js

Taking malicious JavaScript from malwr.com: ORDER-10455.js

First run without interaction with remote servers:

you get something like:

Seems to be a “standard” behaviour of deobfuscation in order to finally download an exe binary and execute it.

If we want to get the real payload, run it with ‘–down=y’:

Example: Analysing Norri.js

Taking malicious JavaScript from malwr.com: Norri.js

Run:

you get: 

Behaviour is obvious from the log. Payload has been extracted into the output/TemporaryFolder_TempFile[15] file.

Example: Analysing Angler EK

Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler/angler_full.html.

Strip the non Angler part and save as malware/angler/angler_stripped.html.

Remove 

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

GitMiner – Tool for Advanced Content Search on Github

filename:.npmrc _auth npm registry authentication data filename:.dockercfg auth docker registry authentication data extension:pem private private keys extension:ppk private puttygen private keys filename:id_rsa or filename:id_dsa private ssh keys extension:sql mysql dump mysql dump extension:sql mysql dump password mysql dump look for password; you can try varieties filename:credentials aws_access_key_id might return false negatives with dummy values filename:.s3cfg might return false negatives with dummy values filename:wp-config.php wordpress config files filename:.htpasswd htpasswd files filename:.env DB_USERNAME NOT homestead laravel .env (CI, various ruby based frameworks too) filename:.env MAIL_HOST=smtp.gmail.com gmail smtp configuration (try different smtp services too) filename:.git-credentials git credentials store, add NOT username for more valid results PT_TOKEN language:bash pivotaltracker tokens filename:.bashrc password search for passwords, etc. in .bashrc (try with .bash_profile too) filename:.bashrc mailchimp variation of above (try more variations) filename:.bash_profile aws aws access and secret keys rds.amazonaws.com password Amazon RDS possible credentials extension:json api.forecast.io try variations, find api keys/secrets extension:json mongolab.com mongolab credentials in json configs extension:yaml mongolab.com mongolab credentials in yaml configs (try with yml) jsforce extension:js conn.login possible salesforce credentials in nodejs projects SF_USERNAME salesforce possible salesforce credentials filename:.tugboat NOT _tugboat Digital Ocean tugboat config HEROKU_API_KEY language:shell Heroku api keys HEROKU_API_KEY language:json Heroku api keys in json files filename:.netrc password netrc that possibly holds sensitive credentials filename:_netrc password netrc that possibly holds sensitive credentials filename:hub oauth_token hub config that stores github tokens filename:robomongo.json mongodb credentials file used by robomongo filename:filezilla.xml Pass filezilla config file with possible user/pass to ftp filename:recentservers.xml Pass filezilla config file with possible user/pass to ftp filename:config.json auths docker registry authentication data filename:idea14.key IntelliJ Idea 14 key, try variations for other versions filename:config irc_pass possible IRC config filename:connections.xml possible db connections configuration, try variations to be specific filename:express.conf path:.openshift openshift config, only email and server thou filename:.pgpass PostgreSQL file which can contain passwords filename:proftpdpasswd Usernames and passwords of proftpd created by cpanel filename:ventrilo_srv.ini Ventrilo configuration [WFClient] Password= extension:ica WinFrame-Client infos needed by users to connect toCitrix Application Servers filename:server.cfg rcon password Counter Strike RCON Passwords JEKYLL_GITHUB_TOKEN Github tokens used for jekyll filename:.bash_history Bash history file filename:.cshrc RC file for csh shell filename:.history history file (often used by many tools) filename:.sh_history korn shell history filename:sshd_config OpenSSH server config filename:dhcpd.conf DHCP service config filename:prod.exs NOT prod.secret.exs Phoenix prod configuration file filename:prod.secret.exs Phoenix prod secret filename:configuration.php JConfig password Joomla configuration file filename:config.php dbpasswd PHP application database password (e.g., phpBB forum software) path:sites databases password Drupal website database credentials shodan_api_key language:python Shodan API keys (try other languages too) filename:shadow path:etc Contains encrypted passwords and account information of new unix systems filename:passwd path:etc Contains user account information including encrypted passwords of traditional unix systems extension:avastlic “support.avast.com” Contains license keys for Avast! Antivirus filename:dbeaver-data-sources.xml DBeaver config containing MySQL Credentials filename:.esmtprc password esmtp configuration extension:json googleusercontent client_secret OAuth credentials for accessing Google APIs HOMEBREW_GITHUB_API_TOKEN language:shell Github token usually set by homebrew users xoxp OR xoxb Slack bot and private tokens .mlab.com password MLAB Hosted MongoDB Credentials filename:logins.json Firefox saved password collection (key3.db usually in same repo) filename:CCCam.cfg CCCam Server config file msg nickserv identify filename:config Possible IRC login passwords filename:settings.py SECRET_KEY Django secret keys (usually allows for session hijacking, RCE, etc) filename:secrets.yml password Usernames/passwords, Rails applications filename:master.key path:config Rails master key (used for decrypting credentials.yml.enc for Rails 5.2+) filename:deployment-config.json Created by sftp-deployment for Atom, contains server details and credentials filename:.ftpconfig Created by remote-ssh for Atom, contains SFTP/SSH server details and credentials filename:.remote-sync.json Created by remote-sync for Atom, contains FTP and/or SCP/SFTP/SSH server details and credentials filename:sftp.json path:.vscode Created by vscode-sftp for VSCode, contains SFTP/SSH server details and credentails filename:sftp-config.json Created by SFTP for Sublime Text, contains FTP/FTPS or SFTP/SSH server details and credentials filename:WebServers.xml Created by Jetbrains IDEs, contains webserver credentials with encoded passwords (not encrypted!) ******************************************************* ***************************************************************


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Gophish – An Open-Source Phishing Toolkit

Gophish - An Open-Source Phishing Toolkit

Gophish is a powerful, open-source phishing framework that makes the simulation of real-world phishing attacks dead-simple.

The idea behind gophish is simple – make industry-grade phishing training available to everyone. “Available” in this case means two things:

  • Affordable – Gophish is open-source software that is completely free for anyone to use.
  • Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!

How To Install Gophish

Gophish is provided as a pre-built binary for most operating systems. With this being the case, installation is as simple as downloading the ZIP file containing the binary that is built for your OS and extracting the contents.

Building Gophish from Source

Since Gophish is written in the Go programming language, it is extremely simple to build from source. All you will need is the Go language and a C compiler (such as gcc).

To build gophish from source, simply run go get github.com/gophish/gophish. This downloads gophish into your $GOPATH.

Next, navigate to $GOPATH/src/github.com/gophish/gophish and run the command go build. This builds a gophish binary in the current directory.

Understanding the config.json

There are some settings that are configurable via a file called config.json, located in the gophish root directory. Here are some of the options that you can set to your preferences:

Be careful: Since the config.json file contains database credentials, you will want to ensure it is only readable by the correct user. For Linux users, you can do this using chmod 640 config.json.

Exposing Gophish to the Internet

By default, the phish_server.listen_url is configured to listen on all interfaces. This means that if the host Gophish is running on is exposed to the Internet (such as running on a VPS), the phishing server will be exposed to the Internet.

If you also want the admin server to be accessible over the Internet, you will need to change the entry for the admin_server.listen_url to 0.0.0.0:3333.

Be careful: Exposing the admin server to the Internet should only be used if needed. Before exposing the admin server to the Internet, it’s highly recommended to change the default password.

Using MySQL

The default database in Gophish is SQLite. This is perfectly functional, but some environments may benefit from leveraging a more robust database such as MySQL.

Support for Mysql has been added as of 0.3-dev. To setup Gophish for Mysql, a couple extra steps are needed.

Update config.json:

First, change the entries in config.json to match your deployment:

Example:

The format for the db_path entry is

Update MySQL Config:

Gophish uses a datetime format that is incompatible with MySQL >= 5.7. To fix this, Add the following lines to the bottom of /etc/mysql/mysql.cnf:

The above settings are the default modes for MySQL, but with NO_ZERO_IN_DATE and NO_ZERO_DATE removed.

Create the Database:

The last step you’ll need to do to leverage Mysql is to create the gophish database. To do this, log into mysql and run the command

After that, you’ll be good to go!

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.

To run Gophish as a service in Linux distributions, you will need to setup a service script. You can refer to this Github issue for an example implementation.

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.

 If your phishing server is set to run on TCP port 80, then you may need to run Gophish as an administrator so that it can bind to the privileged port.

to reach the login page.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

A security overview of Content Management Systems – 10 minute mail

Any developer would probably agree Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However CMS assets like blog.company.com are also web application based and could be targets of hacker attacks. Why’s that? Simply because they are based on commonly used technologies, communicate with end users, bring in organic or paid reader traffic and build brand awareness.

Many companies spend resources on securing their main applications and neglect to also audit the security of the CMS platform because who would want to hack a blog? More often than not it is more about the technology than content itself that’s interesting to hack, which is why CMS security needs attention as well. Here is our overview including expert advice from our security team:

Deciding between closed- vs open-source CMS platforms: 

Once you’ve decided to go with a CMS you’ll have to decide which vendor to go with and part of that is if it will be closed- or open-sourced. Cost and usability are key factors in the decision, but it’s also important to keep in mind the security maintenance expected to keep it up and running. Using an open-source program means that anyone can access the source code and there is freedom to make changes to the source code and customize it for your website needs. A lot of eyes on the code also means there are people out there interested in testing and breaking the code, especially in widely used platforms.

There are people out there testing the security of closed-source CMSes but it’s not at the same rate since they are only available with purchase; however, such platforms have internal security teams doing the testing and making fixes to keep up security. We receive vulnerability submissions for both closed- and open-sourced platforms from our Disposable mail Crowdsource community of 150+ handpicked white hat hackers.

Crowdsource module developer Kristian Bremberg reviews many of these submissions, and contrasts the two:

“Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.” A comparison of open- vs closed-source CMS tools

How to secure your CMS or blog site:

There’s a lot you can do to make sure security risks are alleviated when it comes to maintaining a CMS tool. We previously shared best practices on securing the Magento CMS application, and these same practices can be applied to any other CMS option too. Exploitation can be done through the hosting service, blog themes, plugins or extensions or user management, and it seems like a no-brainer to use the mentioned best practices:

Clean up your plugins In addition to the mentioned measures, it’s also imperative to ensure the plugins added to your CMS application are also secure to use. If you don’t use it, then uninstall it so it doesn’t become a security risk. Many plugins are hobby projects that are only updated once in while which means they can become vulnerable without the owners notice, and for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins and it is something we are continuously open to receive from our Disposable mail Crowdsource white hat hackers.

Scan your CMS platforms for common vulnerabilities It’s common for Content Management Systems to be hosted on a platform that’s different from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress which is not regularly monitored by a web development team and the code may not always be reviewed after updates or adding features. By using a tool like Disposable mail to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that may exist in the web application and with remediation tips. A code-savvy marketer could try to then fix the issue on their own or share it with a web developer or agency for the issue to be resolved.

Additional best practices:

  • 2FA and requirements for complicated passwords
  • Always use the latest version of the software
  • Subscribe to product and security updates from the vendor via social media or mailing lists

Expert point of view: how secure are CMSes and plugins?

We asked our co-founder and top-ranked security researcher, Fredrik Nordberg Almroth, about CMS security and here is what he had to say:

“If I were to approach this [an open-source CMS], I would not start with the main application since this where most security resources are spent and where most people are looking. I would look for other points of entry where few people are monitoring yet highly used like blog themes and plugins. In fact, plugins are the biggest concern, and small but chainable vulnerabilities are mostly here.”

Image: Disposable mail co-founder and top-ranked ethical hacker, Fredrik Nordberg Almroth, has legally hacked many tech giants including Google and Dropbox.

Fredrik Nordberg Almroth says:

“exploiting such chained vulnerabilities can usually impact other assets and infrastructure not directly related to the affected CMS. An example could be a simple reflected XSS that can be used to steal login credentials, which may be used elsewhere on other systems to a cookie XSS that affects sibling subdomains. An other example could be a server-side request forgery (SSRF) attack, that could be leveraged to access internal databases, CI systems and other internal assets.”

Although there is this risk whenever downloading a plugin or theme for open-source CMSes like WordPress and Joomla, Fredrik assures that in general open-source options are quite secure as long as you work proactively with security. There can be rare cases like Drupalgeddon 2.0 (CVE-2018-7600), and since they have high severity impact, they are often short-lived as patches are made as soon as possible to save the masses. CMSes that are SaaS-based are automatically updated making it even easier for users.

However not everyone checks the compatibility and security of a plugin or bundled application, and popular ones are downloaded at least 50,000 times so you can imagine the damage one web vulnerability could have. Some infamous examples include the bundling of ImageMagick and CK Editor applications, where a hacker was able to execute a RCE and XSS respectively. When it comes to closed-source CMSes, there are fewer people looking at these systems outside of the product security teams since one would need paid license access to get to the source code. However vulnerabilities could be found by the vendor’s own security testing activities or bug bounty hunters before a malicious actor gets to it.

Closing comments:

Overall CMSes are secure to use, and from a security standpoint, open-source platforms have an edge because they have more eyes examining the code and updates including security patches are automatic if they are web-based. If you have a CMS it’s most important to keep good user access security, use updated versions of the software and do research on plugins before using them.

CMSes are easy to use but can also be an easy way into your main application if its security is not monitored. Adding these pages like blog.company.com to the security scanning routine is a simple step to take to eliminate the risks.

Disposable mail is a SaaS-based web application scanner powered by ethical hackers. Our tool tests for 1000+ commonly found vulnerabilities including tests for WordPress, Joomla, Drupal, Liferay, Serendipity and other CMS and plugins/extensions. Have you checked the security of your CMS web applications? Try our tool for free and start securing your CMS today.

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.